Designing for security
Got a favourite security tool? No? You’re not alone. Most people don’t have a “favourite” because most people don’t even think about their digital security until they see a news story about the latest data breach, or they receive an email from Facebook saying their account has been hacked.
If pressed, many will default to anti-virus software. Not because people love scanning their computers for viruses, but because most people feel anxious about security. They view it as something they should do, begrudgingly. And that’s why so few people take the time to educate themselves about the countless risks our connected world presents, or the many tools currently available to address those risks.
For us at Peerio, it became clear early on that user education is vital in changing people’s perceptions about security tools.
Balancing security and user experience (UX)
For a long time, security tool developers have treated UX as an afterthought, often exemplified by curt error messages (like “FATAL ERROR” or “SEC_ERROR_UNKNOWN_ISSUER”) pointing out the ways you somehow messed up an otherwise brilliant security tool.
This “IT-knows-best” attitude has led to the misconception that digital security tools must be complex and hard to use. We’ve been (incorrectly) taught that if a tool doesn’t come with a giant manual, or a tedious setup process, we can’t trust it to protect our most important data.
“Wow, that encryption tool seems really complex so it must be good, right?” Wrong. This is not necessarily true.
For example, Peerio uses end-to-end encryption (E2EE), the strongest form of encryption available for messaging. This level of encryption requires an expert level of cryptography. Yet, from a UX point of view, we at Peerio focus on using simple, intuitive design. Why? Because good design and UX aren’t just aesthetic concerns; they are also a matter of good security. And while security professionals need to catch up to modern developments in UX design, designers also have a lot of catching up to do when it comes to designing for security.
We’re all conditioned to expect a certain amount of friction from our security tools. The second something feels easy, we feel it is less secure. If an app isn’t constantly putting up walls to stop us from doing something wrong, how do we know it’s working?
Our team has seen it countless times in user tests. People move quickly through account creation and start using Peerio immediately. Then, a few minutes later, almost without fail, they’ll ask things like, “so, how do I turn on the encryption?” or “what parts of the app are the secure parts?” The balance between a person’s engagement, their sense of security, and their actual security is quite delicate.
During an early round of testing, 75% of the people we spoke to believed that a hexadecimal Account Key (a random combination of the numbers 0-9 and the letters A-F) was more secure than an Account Key made of randomly selected words. In reality, the security of these two types of key is roughly the same.
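To make that comparison concrete, here is an added example (not Peerio's code) that renders one random secret both as a hex string and as a word list, and round-trips it to show both forms carry the same bits. The 128-bit key length, the constructed 2048-entry pseudo-word list, and all function names are assumptions; the page does not state Peerio's actual key format.

```python
import math
import secrets

# Constructed 2048-entry list of pseudo-words (16 onsets x 8 vowels x 16 codas).
# It stands in for a real dictionary; Peerio's own wordlist is not on the page.
CONS = "bdfghjklmnprstvz"
VOWELS = ["a", "e", "i", "o", "u", "ai", "ee", "ou"]
WORDS = [c1 + v + c2 for c1 in CONS for v in VOWELS for c2 in CONS]
BITS_PER_WORD = int(math.log2(len(WORDS)))  # 11 bits per word


def to_hex(secret: bytes) -> str:
    """Render the secret as hexadecimal: 4 bits per character."""
    return secret.hex().upper()


def to_words(secret: bytes) -> list[str]:
    """Render the same secret as words: 11 bits per word, zero-padded at the end."""
    nbits = len(secret) * 8
    nwords = math.ceil(nbits / BITS_PER_WORD)
    value = int.from_bytes(secret, "big") << (nwords * BITS_PER_WORD - nbits)
    mask = len(WORDS) - 1
    return [WORDS[(value >> (BITS_PER_WORD * i)) & mask]
            for i in reversed(range(nwords))]


def from_words(words: list[str], nbytes: int) -> bytes:
    """Invert to_words(), proving no information is lost in the word form."""
    value = 0
    for word in words:
        value = (value << BITS_PER_WORD) | WORDS.index(word)
    padding = len(words) * BITS_PER_WORD - nbytes * 8
    return (value >> padding).to_bytes(nbytes, "big")


def entropy_bits(symbols: int, alphabet_size: int) -> float:
    """Entropy of `symbols` independent uniform draws from an alphabet."""
    return symbols * math.log2(alphabet_size)


if __name__ == "__main__":
    secret = secrets.token_bytes(16)  # assumed 128-bit key from the OS CSPRNG
    hex_key, word_key = to_hex(secret), to_words(secret)
    print(hex_key, f"({entropy_bits(len(hex_key), 16):.0f} bits of capacity)")
    print(" ".join(word_key),
          f"({entropy_bits(len(word_key), len(WORDS)):.0f} bits of capacity)")
    assert from_words(word_key, 16) == secret
```

The strength comes from how many uniformly random bits were drawn, not from how cryptic the rendering looks: 32 hex characters and 12 words from a 2048-word list both encode the same 128-bit secret.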
Security UX design principles
“Nothing that is not simple and direct can survive the slow transmission from person to person.” - The Timeless Way of Building by Christopher Alexander
Create clarity with a straightforward design
We want to lower the barrier to entry for encryption and security tools. One way we do this is by removing walls of tech jargon and needlessly elaborate user flows. We reduce complexity by using simple, direct language and common design patterns.
For example, Peerio’s account creation flow is focused on putting new (and possibly anxious) users at ease. That’s why our first few steps are common requests. We simply ask for their name, email, and username. It’s only at the very end, when the app generates the Account Key, that we deviate from the account creation process they’re familiar with.
At this point, we take them on a journey:
- an animation plays to indicate that a complex operation is taking place
- we emphasize the security and importance of the Account Key by citing research on computer-generated passwords
- then, to lighten the mood, we follow that information with a joke about how difficult it is for other people to discover this key
We help people embrace security by showing them that being secure doesn’t have to be complex or disruptive to their workflow. We call attention to security by accentuating it when it matters. We do this with fun illustrations, clear, easy-to-understand language, and simple animations.
In Peerio, our animations draw attention to Peerio’s security features.
For example, during the Account Key process, we show users an animation to say, “Hey, this is important, pay attention.” By using an animation to “generate the Account Key,” we build a hero moment and give users a satisfying reveal of their “Key”.
On Peerio’s mobile app, loading animations remind users they’re using a secure communications tool. The sliding doors unlock then open to reveal their secure space. It’s transparent about what’s going on and also gives the illusion of speed.
Good design is good security
At Peerio we are not only passionate about security, but we are also passionate about people. We want to build tools that people love to use and that also keep their data secure. These goals may seem at odds, but we think they’re achievable. Private communication should be as easy as sending an email or text message. Storing and sharing encrypted files shouldn’t require a computer science degree.
Building great tools requires a lot of smart people working together to ensure everyone’s data is well protected. I would know; I work with these people every day. Our developers and cryptographers are pushing the envelope daily to build a strong platform on top of which the design team can create a clean, intuitive interface.
As designers, our first priority is to the people using our products. Good design provides clarity to an otherwise complex problem. With intuitive UX and clear UI, we can show people that improving their security isn’t a complicated, time-consuming chore. When we demystify the black box of digital security tools, people feel confident using them. With that confidence, users feel secure and empowered.
We don’t want people to forget about security when they’re using Peerio. We just don’t want it at the forefront of their minds either. When we’re at home, we’re not constantly concerned with our physical security. Sure, we have passing thoughts like, did I lock the door? or did I turn off the stove? But we’re not consumed by these thoughts. We make assumptions. We’re home. We’re safe. We’re secure. That’s how people should feel with Peerio. And that’s the monumental task our team is working on. Peerio is secure by default, and like your house, you have the key. You decide who gets in.